Dropbox Breach Exposes 68 Million Passwords

Yet another breach from 2012 comes back to haunt users in 2016, but Dropbox says there is nothing to worry about. Is it right?

Dropbox warned its users last week that if they haven't updated their passwords since 2012, they would be prompted to update them. As it turns out, the reason for the password reset is related to a breach originally disclosed in 2012, which is now exposing the credentials of approximately 68 million Dropbox users.
For its part, Dropbox is emphasizing that it has contained the risk and is taking the appropriate steps to protect users.
"This is not a new security incident, and there is no indication that Dropbox user accounts have been improperly accessed," Patrick Heim, head of Trust and Security at Dropbox, said in a statement sent to eWEEK. "Our analysis confirms that the credentials are user email addresses with hashed and salted passwords that were obtained prior to mid-2012."
Hashing provides a degree of randomness and protection for passwords, making them more difficult for an attacker to use. A salt is a random data element that is included in a hash to make it even more secure. Going a step further, though 68 million user accounts are impacted, Heim noted that Dropbox has taken the right actions to secure users.

"We can confirm that the scope of the password reset we completed last week did protect all impacted users," he said. "Even if these passwords are cracked, the password reset means they can't be used to access Dropbox accounts."

Heim added that the reset only affects users who signed up for Dropbox prior to mid-2012 and hadn't changed their password since. Though Dropbox account passwords have been reset, he suggested that users who may have reused their password on other sites should update those passwords as well. And he recommended that users make use of two-factor authentication.
Security experts contacted by eWEEK had a few additional suggestions for Dropbox on how to further improve security.
"Dropbox should have had password expiration (i.e., reset password every X days) and should implement it now," John Bambenek, senior threat researcher at Fidelis Cybersecurity, told eWEEK.
Presumably Dropbox has made internal changes to prevent a similar breach, according to Cris Thomas, strategist at Tenable Network Security, and having users change passwords even when the originals were salted and hashed doesn't hurt.
Georgia Weidman, CTO and founder of Shevirah, said it sounds like Dropbox is doing all the right things with regard to employee passwords now, with a password management system and two-factor authentication. Unfortunately keeping employees from using their corporate credentials on other external sites is not something that can be easily done with policy and controls.
"In the end, providers like Dropbox have an obligation to save users from themselves," Weidman told eWEEK. "If users use poor passwords, leave them unchanged for years or reuse passwords from compromised sites, the service should proactively discover this and prompt the user to adopt better hygiene."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.